NDR: POC Guide & Frequently Asked Questions (FAQs)

Description

The SonicSentry™ NDR service offers advanced network detection, syslog ingestion, SOC alerting, and actionable reporting, all designed to help partners identify malicious behavior before it becomes a full-blown incident. This FAQ is intended to help you better understand the 14-day Proof of Concept (PoC) and what to expect at each step.


What is the goal of the PoC?

The goal is simple: evaluate the SonicSentry platform, including the SIEM, sensors, and SOC services, in a real-world setting. This trial lets you see how data is collected, ingested, analyzed, and responded to across your own devices and environment.


What is the timeline of the PoC?

The PoC is a 14-day engagement that starts after we confirm data is flowing correctly into the SIEM platform.


What are the phases of the PoC?

Phase 1 – Discovery

  • You’ll receive a discovery template to complete. This helps us gather the info needed to build out your environment in the SIEM platform.

Phase 2 – Sensor Deployment & Syslog Forwarding

  • This is completed by you, the partner. You’ll:
    • Choose and deploy a supported sensor
    • Configure the appropriate network devices to send syslogs to that sensor

Phase 3 – Data Verification

  • Once sensors and syslog forwarding are in place:
    • MSS engineers will verify log ingestion into the SIEM
    • We’ll also enable weekly ingestion reports and alerts to notify you if data ever stops flowing
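Phase 3, and the partner's ongoing responsibility to watch device logging status, come down to one question: is every device that should be forwarding still producing parseable syslog, and when did each last do so? The script below is an added example written for this guide, not SonicSentry tooling or the SIEM's own ingestion logic. It parses a few constructed RFC 3164-style lines of the kind a firewall, switch or server forwards, decodes the PRI field into facility and severity, records the last-seen time per host, and reports any expected host that is missing or has been silent longer than a threshold. The host names, the 15-minute threshold, the reference time and the year 2025 (RFC 3164 timestamps carry no year) are assumptions for the sample.

```python
"""Added example (not SonicSentry code): check that each expected device is
still forwarding parseable syslog, and flag hosts that have gone quiet."""
import re
from datetime import datetime, timedelta

# RFC 3164-style line as a firewall or switch typically forwards it:
#   <PRI>Mmm dd hh:mm:ss hostname tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp", 16: "local0", 17: "local1",
              18: "local2", 19: "local3", 20: "local4", 21: "local5",
              22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_line(line, year):
    """Parse one RFC 3164-style line; return a dict, or None if unparseable.
    RFC 3164 timestamps carry no year, so the caller supplies one (assumption)."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                         # PRI = facility*8 + severity, max 23*8+7
        return None
    ts = " ".join(m["ts"].split())        # collapse "Oct  5" to "Oct 5"
    return {
        "host": m["host"],
        "time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
        "facility": FACILITIES.get(pri >> 3, f"facility{pri >> 3}"),
        "severity": SEVERITIES[pri & 7],
        "msg": m["msg"],
    }


def ingestion_status(lines, expected_hosts, now,
                     max_silence=timedelta(minutes=15), year=2025):
    """Return (events, silent, unparsed).

    events   - parsed records in input order
    silent   - expected host -> time since its last event (None if never seen)
    unparsed - count of lines that did not match the syslog format
    """
    events, last_seen, unparsed = [], {}, 0
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            unparsed += 1
            continue
        events.append(ev)
        if ev["host"] not in last_seen or ev["time"] > last_seen[ev["host"]]:
            last_seen[ev["host"]] = ev["time"]
    silent = {}
    for host in expected_hosts:
        seen = last_seen.get(host)
        if seen is None:
            silent[host] = None
        elif now - seen > max_silence:
            silent[host] = now - seen
    return events, silent, unparsed


# Constructed sample: three devices forwarding, one expected host never seen,
# and one junk line that is not syslog at all. Addresses are documentation ranges.
SAMPLE_LINES = [
    '<134>Oct  5 09:58:12 fw-edge-01 msg="Connection Opened" src=10.0.1.20:51234 dst=203.0.113.9:443',
    "<38>Oct  5 09:59:40 core-sw-01 sshd[1123]: Accepted publickey for netops from 10.0.9.5 port 50122",
    "<13>Oct  5 09:20:01 dc-01 EventLog: An account was successfully logged on",
    "heartbeat ok",
]
EXPECTED_HOSTS = ["fw-edge-01", "core-sw-01", "dc-01", "vpn-gw-01"]
NOW = datetime(2025, 10, 5, 10, 0, 0)   # reference time for the sample (assumed)

if __name__ == "__main__":
    events, silent, unparsed = ingestion_status(SAMPLE_LINES, EXPECTED_HOSTS, NOW)
    print(f"parsed {len(events)} events, {unparsed} unparseable line(s)")
    for host, gap in silent.items():
        print(f"  SILENT {host}: " + ("never seen" if gap is None else f"last event {gap} ago"))
```

Run against a capture from the sensor (for example a `tcpdump -A` of UDP/514 or the sensor's own log spool) rather than from the sending device: the point of the check is to confirm what actually arrived. A host that shows up as never seen is usually a forwarding or firewall-rule problem on the partner side; a host that parses but then goes silent is exactly the condition the ingestion alerts in Phase 3 are meant to catch.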

Is there a Kick-Off call?

Not for this offering. The PoC is designed to be lightweight and efficient. After you submit the discovery form and we provision your tenant, the rest happens in your environment.

Note: SonicWall MSS does not make changes to partner environments. We cannot configure your firewalls, switches, or sensors due to liability concerns.
Need help? Reply to your ticket to request a 1:1 session; your implementation engineer will send a link to schedule time.


Are SOC services included in the PoC?

Yes! Your environment will be monitored by our 24/7 SOC for the full duration of the PoC. Any alerts generated will be processed just like they would in a production environment.


What happens if a compromise is identified during the PoC?

If our SOC detects what appears to be a genuine compromise:

  • The PoC will immediately end
  • You’ll be asked to decide whether to:
    • Convert to full production service, or
    • Discontinue services altogether

Important: This PoC is not a replacement for Incident Response. If you suspect an active breach, notify us and follow your IR procedures.


When does the PoC officially start?

The 14-day clock starts only after we’ve confirmed that:

  • Syslog data is being received from your devices
  • Data is readable and usable in the SIEM platform

We want you to have the full evaluation period with working data, rather than burning days on setup.


What if I don’t complete every step of the PoC process?

We understand that unforeseen circumstances may prevent you from evaluating every feature during the PoC. In many cases, a PoC progresses only so far because the evaluator lacks time or availability. Unfortunately, we can only extend the PoC beyond 14 days for technical issues specifically related to the product. We ask that all prospective partners make a best effort to progress the PoC as far as possible so that they get a full evaluation. The benefit of our offering model is that a partner may continue evaluating the offering in a live, consumption-based, month-to-month service until they have had enough time to decide whether it is the right solution for their business.


What are the deliverables from SonicSentry during the PoC?

  • SIEM Tenant provisioning
  • Alerting/reporting based on sensor health and log ingestion
  • Security Operations Center (SOC) services
    • Detection and alerting on identified abnormal, suspicious or malicious activity
    • Initial response as outlined in our SOC EPP Alert Processing Summary
  • Implementation Reports, sent twice a month, covering ingestion health and environment health
  • Documentation and training support

What are my responsibilities as a partner?

Partners are responsible for:

  • Completing the discovery template
  • Reviewing NDR: Sensor Requirements to ensure compatibility
  • Deploying and maintaining the sensor(s)
  • Configuring syslog forwarding from applicable devices
  • Monitoring sensor health and device logging status
  • Removing old or duplicate sensors and notifying MSS
  • Investigating alerts issued by the SonicSentry SOC
  • Communicating any roadblocks or support needs via your deployment ticket

How do I move forward after the PoC?

Near the end of the PoC, you’ll receive a Wrap-Up email with next steps.

  • If no issues are reported, MSS will automatically transition your environment to production
  • In most cases, you don’t need to do anything; we’ll handle the backend changes and billing activation
  • If any action is required on your part, it will be clearly stated in the wrap-up message

What if I decide not to move forward?

While we hope everyone sees the value of the offering and the tools we use, there are times when it does not meet an organization’s requirements. If a partner opts not to move forward after the PoC, the following actions will be taken before the PoC end date:

SonicSentry will:

  • Remove your sensors from the SIEM console

You will need to:

  • Decommission sensors from your environment
  • Disable syslog forwarding from all devices

How do I get started / what are the next steps?

  1. Review sensor options here: NDR: Supported Firewalls & Sensor Options
  2. Decide on your sensor deployment type and update your ticket with your selection

Once received, our implementation team will begin provisioning your environment and walk you through next steps!

Related Articles

  • MSS Managed Firewall Best Practice Configuration
  • NDR: Integration Guide
  • NDR: Windows Server Agent